What is a passkey and how does it work?

In a few years, storing passwords could be a thing of the past. Let’s see how and why in this article.


If you’ve been paying attention to cybersecurity lately, you’ve probably heard about passkeys. Google is already rolling them out, and they might be on the cusp of changing how we secure the internet. But what exactly are passkeys? And are they better than the password logins we’ve been using for decades?

What is a Passkey?

Passkeys aim to get rid of password logins to avoid their weak points (which we’ll get to later). Instead, an authenticator like a phone’s OS keychain or a separate password manager generates a cryptographic key pair that grants you access to other apps and websites. Of course, you’ll still need to verify your identity via the authenticator, which likely means a main password, optional facial recognition, or fingerprint scanning to speed things up.

An important aspect of the passkey concept is portability. It’s potentially very simple to sync your passkeys across your devices, as long as you have the main password to unlock things.

How does a Passkey work?

When you enable passkeys within a compatible app or website, your authenticator creates a pair of cryptographic keys: one public, one private. The public key is handed to the app or website during setup, while the private key stays on your device. From then on, logging in means proving you hold the private key rather than sending a secret over the network.

Public keys are called that because they can be shared safely: they’re stored on servers associated with an app or website. A hacker could hypothetically breach a server and steal your public key, but without your private key (and the main password or biometric that unlocks your authenticator), it’s utterly useless.

Private keys are always saved locally on your devices and are only used when something requires credentials: the server sends a fresh challenge, and your device signs it with the private key. You must verify your identity with the authenticator for the process to be completed. Keep in mind that a server never needs the private key itself, as there’s a mathematical link to its public equivalent that lets the server check the signature.

Passkeys vs. Passwords: Which is More Secure?

Passkeys are generally more secure because passwords inevitably have to be stored in a remote database. Although many companies have defenses, a skilled hacker can potentially breach them, and any logins they find are immediately useful if they’re not backed up by two-step verification (2SV). The situation is worse when people reuse passwords too often: hackers might not need to bother with other servers if the same password works everywhere.

Human nature can defeat passwords in other ways too. We often don’t think hard enough about them, making them easy to guess or brute-force via repeated attempts. Sometimes we share them with people we shouldn’t, such as when we fall for phishing scams.

Passkeys aren’t invincible, of course. If someone gets hold of one of your authenticators and your main password, they could have the keys to your entire digital life, or at least everything that uses a passkey. However, that should be less likely than attacks on remote servers.
